@lbroth/rothunter 1.0.0-rc.1

package/dist/detectors/skip-tests.js

@@ -0,0 +1,69 @@
+import { makeSourceReader } from '../utils/source-reader.js';
+import { stableHash } from '../utils/hash.js';
+// .skip / .only / xdescribe / fdescribe in tests. .only is HIGH (suite
+// no-op on merge), .skip / x* are MED.
+export function detectSkipTests(input) {
+    const read = makeSourceReader(input.workspaceRoot, input.project);
+    const findings = [];
+    for (const rel of input.files) {
+        if (!isTestFile(rel))
+            continue;
+        const raw = read(rel);
+        if (raw == null)
+            continue;
+        findings.push(...analyseFile(rel, raw));
+    }
+    return findings;
+}
+const SKIP_PATTERNS = [
+    { re: /\b(describe|it|test)\.skip\s*\(/g, kind: 'skip', label: '.skip(...)' },
+    { re: /\b(describe|it|test)\.only\s*\(/g, kind: 'only', label: '.only(...)' },
+    { re: /\b(xdescribe|xit|xtest)\s*\(/g, kind: 'skip', label: 'x-prefixed skip' },
+    { re: /\b(fdescribe|fit)\s*\(/g, kind: 'only', label: 'f-prefixed only' },
+];
+function analyseFile(file, raw) {
+    const out = [];
+    for (const p of SKIP_PATTERNS) {
+        p.re.lastIndex = 0;
+        for (const match of raw.matchAll(p.re)) {
+            const line = lineOf(raw, match.index);
+            out.push({
+                detectorId: 'skip-tests',
+                severity: p.kind === 'only' ? 'high' : 'medium',
+                confidence: 0.97,
+                layer: 1,
+                title: `${p.kind === 'only' ? 'Test isolation' : 'Skipped test'}: ${p.label} in ${file}:${line}`,
+                description: p.kind === 'only'
+                    ? `\`${match[0].replace(/\($/, '')}\` causes the entire test framework to run ONLY the marked block — every other test in the suite is silently skipped during CI. Merging this disables the whole test bed.`
+                    : `\`${match[0].replace(/\($/, '')}\` is a skipped test. Skips are useful during triage but rot fast when left without a tracking ticket or a delete plan.`,
+                evidence: [
+                    {
+                        file,
+                        range: { startLine: line, endLine: line },
+                        snippet: snippetAround(raw, line),
+                    },
+                ],
+                suggestion: p.kind === 'only'
+                    ? 'Remove the `.only` modifier before merging. Add an ESLint rule (e.g. `mocha/no-exclusive-tests` or `jest/no-focused-tests`) to fail CI on `.only` callsites.'
+                    : 'Either re-enable + fix the test, or delete it. If a skip is genuinely intentional, replace it with `it.todo(...)` and link the tracking ticket.',
+                fingerprint: `skip-tests:${stableHash(`${file}:${line}:${p.label}`)}`,
+            });
+        }
+    }
+    return out;
+}
+function isTestFile(file) {
+    const posix = file.replace(/\\/g, '/');
+    return /(?:^|\/)(__tests__|tests|test|spec)\//.test(posix)
+        || /\.(?:test|spec)\.(?:ts|tsx|js|jsx|mts|cts|mjs|cjs)$/.test(posix);
+}
+function lineOf(raw, idx) {
+    return raw.slice(0, idx).split('\n').length;
+}
+function snippetAround(raw, line) {
+    const lines = raw.split('\n');
+    const from = Math.max(0, line - 2);
+    const to = Math.min(lines.length, line + 2);
+    return lines.slice(from, to).join('\n');
+}
+//# sourceMappingURL=skip-tests.js.map

package/dist/detectors/skip-tests.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"skip-tests.js","sourceRoot":"","sources":["../../src/detectors/skip-tests.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AAC7D,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAK9C,uEAAuE;AACvE,uCAAuC;AACvC,MAAM,UAAU,eAAe,CAAC,KAA6B;IAC3D,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,CAAC,aAAa,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;IAClE,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,KAAK,MAAM,GAAG,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;QAC9B,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,SAAS;QAC/B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC;QACtB,IAAI,GAAG,IAAI,IAAI;YAAE,SAAS;QAC1B,QAAQ,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC;IAC1C,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,aAAa,GAAgE;IACjF,EAAE,EAAE,EAAE,kCAAkC,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE;IAC7E,EAAE,EAAE,EAAE,kCAAkC,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE;IAC7E,EAAE,EAAE,EAAE,+BAA+B,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,iBAAiB,EAAE;IAC/E,EAAE,EAAE,EAAE,yBAAyB,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,iBAAiB,EAAE;CAC1E,CAAC;AAEF,SAAS,WAAW,CAAC,IAAY,EAAE,GAAW;IAC5C,MAAM,GAAG,GAAc,EAAE,CAAC;IAC1B,KAAK,MAAM,CAAC,IAAI,aAAa,EAAE,CAAC;QAC9B,CAAC,CAAC,EAAE,CAAC,SAAS,GAAG,CAAC,CAAC;QACnB,KAAK,MAAM,KAAK,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC;YACvC,MAAM,IAAI,GAAG,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,KAAM,CAAC,CAAC;YACvC,GAAG,CAAC,IAAI,CAAC;gBACP,UAAU,EAAE,YAAY;gBACxB,QAAQ,EAAE,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;gBAC/C,UAAU,EAAE,IAAI;gBAChB,KAAK,EAAE,CAAC;gBACR,KAAK,EAAE,GAAG,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,cAAc,KAAK,CAAC,CAAC,KAAK,OAAO,IAAI,IAAI,IAAI,EAAE;gBAChG,WAAW,EACT,CAAC,CAAC,IAAI,KAAK,MAAM;oBACf,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,2KAA2K;oBAC7M,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,yHAAyH;gBAC/J,QAAQ,EAAE;oBACR;wBACE,IAAI;wBACJ,KAAK,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE;wBACzC,OAAO,EAAE,aAAa,CAAC,GAAG,EAAE,IAAI,CAAC;qBAClC;iBACF;gBACD,UAAU,EACR,CAAC,CAAC,IAAI,KAAK,MAAM;oBACf,CAAC,CAAC,8JAA8J;oBAChK,CAAC,CAAC,iJAAiJ;gBACvJ,WAAW,EAAE,cAAc,UAAU,CAAC,GAAG,IAAI,IAAI,IAAI,IAAI,CAAC,CAAC,KAAK,EAAE,CAAC,EAAE;aACtE,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,UAAU,CAAC,IAAY;IAC9B,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACvC,OAAO,uCAAuC,CAAC,IAAI,CAAC,KAAK,CAAC;WACrD,qDAAqD,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AACzE,CAAC;AAED,SAAS,MAAM,CAAC,GAAW,EAAE,GAAW;IACtC,OAAO,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;AAC9C,CAAC;AAED,SAAS,aAAa,CAAC,GAAW,EAAE,IAAY;IAC9C,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC9B,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,GAAG,CAAC,CAAC,CAAC;IACnC,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,IAAI,GAAG,CAAC,CAAC,CAAC;IAC5C,OAAO,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1C,CAAC"}

package/dist/detectors/todo-comments.d.ts

@@ -0,0 +1,29 @@
+import type { Finding } from '../types.js';
+/**
+ * todo-comments takes an OPTIONAL files list because the detector
+ * walks the workspace itself when omitted — that's how it picks up
+ * Python / Go / shell sources the TS parser ignores. The shared
+ * `FileWalkingDetectorInput` requires `files`, so this detector keeps
+ * its own shape rather than extending.
+ */
+export interface TodoCommentsDetectorInput {
+    workspaceRoot: string;
+    /**
+     * Optional pre-parsed file list. When omitted, the detector walks the
+     * workspace itself — useful for picking up Python / Go / shell files
+     * the TS parser does not visit.
+     */
+    files?: ReadonlyArray<string>;
+    /**
+     * Recognised markers (case-insensitive). Default covers the common
+     * ones used across JS / TS / Go / Rust / Python style guides.
+     */
+    markers?: ReadonlyArray<string>;
+    /**
+     * Max findings to emit. Default 60 — these are LOW signal and would
+     * otherwise drown the dashboard on legacy repos.
+     */
+    maxFindings?: number;
+}
+export declare function detectTodoComments(input: TodoCommentsDetectorInput): Finding[];
+//# sourceMappingURL=todo-comments.d.ts.map

package/dist/detectors/todo-comments.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"todo-comments.d.ts","sourceRoot":"","sources":["../../src/detectors/todo-comments.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAK3C;;;;;;GAMG;AACH,MAAM,WAAW,yBAAyB;IACxC,aAAa,EAAE,MAAM,CAAC;IACtB;;;;OAIG;IACH,KAAK,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC9B;;;OAGG;IACH,OAAO,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAChC;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAID,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,yBAAyB,GAAG,OAAO,EAAE,CAuD9E"}

package/dist/detectors/todo-comments.js

@@ -0,0 +1,154 @@
+import * as path from 'node:path';
+import { readFileSync, readdirSync, statSync } from 'node:fs';
+import { stableHash } from '../utils/hash.js';
+import { escapeForRegex } from '../utils/regex.js';
+import { loadGitignore } from '../utils/gitignore.js';
+// Inline TODO/FIXME/HACK/XXX/WTF/BUG/NOTE/REVIEW/DEPRECATED comments.
+// HACK/XXX/WTF/FIXME/BUG → MED, rest LOW.
+export function detectTodoComments(input) {
+    const markers = input.markers ?? DEFAULT_MARKERS;
+    const maxFindings = input.maxFindings ?? 60;
+    const findings = [];
+    // Build a single alternation regex so we make one pass per file.
+    const alt = markers.map((m) => escapeForRegex(m)).join('|');
+    const re = new RegExp(`(?:\\/\\/|\\/\\*+|\\#)\\s*(${alt})\\b[:!\\-]?\\s*(.*)`, 'gi');
+    // Use the caller-supplied file list when present; otherwise walk the
+    // workspace to pick up non-TS sources (Python / Go / shell) the
+    // TypeScript parser doesn't visit.
+    const files = input.files && input.files.length > 0 ? input.files : walkFiles(input.workspaceRoot);
+    for (const rel of files) {
+        if (findings.length >= maxFindings)
+            break;
+        if (!isAnalysable(rel))
+            continue;
+        const abs = path.resolve(input.workspaceRoot, rel);
+        let raw;
+        try {
+            raw = readFileSync(abs, 'utf-8');
+        }
+        catch {
+            continue;
+        }
+        const lines = raw.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+            if (findings.length >= maxFindings)
+                break;
+            re.lastIndex = 0;
+            const m = re.exec(lines[i]);
+            if (!m)
+                continue;
+            const marker = m[1].toUpperCase();
+            const note = (m[2] ?? '').trim().slice(0, 160);
+            const line = i + 1;
+            const sev = severityFor(marker);
+            findings.push({
+                detectorId: 'todo-comments',
+                severity: sev,
+                confidence: 1,
+                layer: 1,
+                title: `${marker} comment in ${rel}:${line}${note ? ` — ${note}` : ''}`,
+                description: `Inline \`${marker}\` comment at \`${rel}:${line}\`. Tracking technical debt in source comments works for a sprint or two and then rots — these accumulate and nobody knows which ones are still relevant.`,
+                evidence: [
+                    {
+                        file: rel,
+                        range: { startLine: line, endLine: line },
+                        snippet: snippetAround(lines, line),
+                    },
+                ],
+                suggestion: 'Move actionable items to your issue tracker and link the ticket from the comment, or delete the comment if it has become obsolete. Repo-wide grep for stale markers is a useful periodic chore.',
+                fingerprint: `todo-comments:${stableHash(`${rel}:${line}:${marker}:${note}`)}`,
+            });
+        }
+    }
+    return findings;
+}
+const DEFAULT_MARKERS = [
+    'TODO',
+    'FIXME',
+    'HACK',
+    'XXX',
+    'BUG',
+    'NOTE',
+    'REVIEW',
+    'WTF',
+    'DEPRECATED',
+    'DEPRECATE',
+];
+function severityFor(marker) {
+    switch (marker) {
+        case 'HACK':
+        case 'XXX':
+        case 'WTF':
+        case 'FIXME':
+        case 'BUG':
+            return 'medium';
+        case 'TODO':
+        case 'NOTE':
+        case 'REVIEW':
+        case 'DEPRECATED':
+        case 'DEPRECATE':
+        default:
+            return 'low';
+    }
+}
+/**
+ * Recursive workspace walk that returns relative file paths matching
+ * `isAnalysable`. Stops at conventional skip-dirs (node_modules, dist,
+ * build, .git, …) so big legacy repos don't blow the file budget.
+ */
+function walkFiles(root) {
+    const out = [];
+    // Path exclusions come from `.gitignore` + `.rothunterignore` only.
+    // The matcher always bakes in `node_modules` + `.git` so a workspace
+    // without ignore files still walks something sensible.
+    const gitignore = loadGitignore(root);
+    const stack = [''];
+    while (stack.length > 0) {
+        const rel = stack.pop();
+        const abs = rel ? path.join(root, rel) : root;
+        let entries;
+        try {
+            entries = readdirSync(abs);
+        }
+        catch {
+            continue;
+        }
+        for (const name of entries) {
+            const childRel = rel ? path.join(rel, name) : name;
+            const posixRel = childRel.replace(/\\/g, '/');
+            const childAbs = path.join(root, childRel);
+            let s;
+            try {
+                s = statSync(childAbs);
+            }
+            catch {
+                continue;
+            }
+            if (s.isDirectory()) {
+                if (gitignore.ignores(posixRel + '/'))
+                    continue;
+                stack.push(childRel);
+            }
+            else if (s.isFile() && isAnalysable(childRel)) {
+                if (gitignore.ignores(posixRel))
+                    continue;
+                out.push(posixRel);
+            }
+        }
+    }
+    return out;
+}
+function isAnalysable(file) {
+    const posix = file.replace(/\\/g, '/');
+    return /\.(?:ts|tsx|mts|cts|js|jsx|mjs|cjs|py|go|rs|java|kt|swift|rb|php|sql|sh|yaml|yml|toml)$/.test(posix)
+        && !/\.d\.ts$/.test(posix)
+        && !/(^|\/)node_modules\//.test(posix)
+        && !/(^|\/)dist\//.test(posix)
+        && !/(^|\/)build\//.test(posix);
+}
+function snippetAround(lines, line) {
+    const from = Math.max(0, line - 2);
+    const to = Math.min(lines.length, line + 1);
+    return lines.slice(from, to).join('\n');
+}
+//# sourceMappingURL=todo-comments.js.map

package/dist/detectors/todo-comments.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"todo-comments.js","sourceRoot":"","sources":["../../src/detectors/todo-comments.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAE9D,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AA6BtD,sEAAsE;AACtE,0CAA0C;AAC1C,MAAM,UAAU,kBAAkB,CAAC,KAAgC;IACjE,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,IAAI,eAAe,CAAC;IACjD,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,EAAE,CAAC;IAC5C,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,iEAAiE;IACjE,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC5D,MAAM,EAAE,GAAG,IAAI,MAAM,CAAC,8BAA8B,GAAG,sBAAsB,EAAE,IAAI,CAAC,CAAC;IAErF,qEAAqE;IACrE,gEAAgE;IAChE,mCAAmC;IACnC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;IAEnG,KAAK,MAAM,GAAG,IAAI,KAAK,EAAE,CAAC;QACxB,IAAI,QAAQ,CAAC,MAAM,IAAI,WAAW;YAAE,MAAM;QAC1C,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC;YAAE,SAAS;QACjC,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,aAAa,EAAE,GAAG,CAAC,CAAC;QACnD,IAAI,GAAW,CAAC;QAChB,IAAI,CAAC;YACH,GAAG,GAAG,YAAY,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QACnC,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;QACD,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,IAAI,QAAQ,CAAC,MAAM,IAAI,WAAW;gBAAE,MAAM;YAC1C,EAAE,CAAC,SAAS,GAAG,CAAC,CAAC;YACjB,MAAM,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,CAAC;YAC7B,IAAI,CAAC,CAAC;gBAAE,SAAS;YACjB,MAAM,MAAM,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC,WAAW,EAAE,CAAC;YACnC,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;YAC/C,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;YACnB,MAAM,GAAG,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;YAChC,QAAQ,CAAC,IAAI,CAAC;gBACZ,UAAU,EAAE,eAAe;gBAC3B,QAAQ,EAAE,GAAG;gBACb,UAAU,EAAE,CAAC;gBACb,KAAK,EAAE,CAAC;gBACR,KAAK,EAAE,GAAG,MAAM,eAAe,GAAG,IAAI,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE;gBACvE,WAAW,EACT,YAAY,MAAM,mBAAmB,GAAG,IAAI,IAAI,2JAA2J;gBAC7M,QAAQ,EAAE;oBACR;wBACE,IAAI,EAAE,GAAG;wBACT,KAAK,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE;wBACzC,OAAO,EAAE,aAAa,CAAC,KAAK,EAAE,IAAI,CAAC;qBACpC;iBACF;gBACD,UAAU,EACR,iMAAiM;gBACnM,WAAW,EAAE,iBAAiB,UAAU,CAAC,GAAG,GAAG,IAAI,IAAI,IAAI,MAAM,IAAI,IAAI,EAAE,CAAC,EAAE;aAC/E,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,eAAe,GAAG;IACtB,MAAM;IACN,OAAO;IACP,MAAM;IACN,KAAK;IACL,KAAK;IACL,MAAM;IACN,QAAQ;IACR,KAAK;IACL,YAAY;IACZ,WAAW;CACZ,CAAC;AAEF,SAAS,WAAW,CAAC,MAAc;IACjC,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,MAAM,CAAC;QACZ,KAAK,KAAK,CAAC;QACX,KAAK,KAAK,CAAC;QACX,KAAK,OAAO,CAAC;QACb,KAAK,KAAK;YACR,OAAO,QAAQ,CAAC;QAClB,KAAK,MAAM,CAAC;QACZ,KAAK,MAAM,CAAC;QACZ,KAAK,QAAQ,CAAC;QACd,KAAK,YAAY,CAAC;QAClB,KAAK,WAAW,CAAC;QACjB;YACE,OAAO,KAAK,CAAC;IACjB,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAS,SAAS,CAAC,IAAY;IAC7B,MAAM,GAAG,GAAa,EAAE,CAAC;IACzB,oEAAoE;IACpE,qEAAqE;IACrE,uDAAuD;IACvD,MAAM,SAAS,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC;IACtC,MAAM,KAAK,GAAa,CAAC,EAAE,CAAC,CAAC;IAC7B,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,MAAM,GAAG,GAAG,KAAK,CAAC,GAAG,EAAG,CAAC;QACzB,MAAM,GAAG,GAAG,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QAC9C,IAAI,OAAiB,CAAC;QACtB,IAAI,CAAC;YACH,OAAO,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;QAC7B,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;QACD,KAAK,MAAM,IAAI,IAAI,OAAO,EAAE,CAAC;YAC3B,MAAM,QAAQ,GAAG,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;YACnD,MAAM,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9C,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;YAC3C,IAAI,CAAC,CAAC;YACN,IAAI,CAAC;gBACH,CAAC,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACzB,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;YACD,IAAI,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC;gBACpB,IAAI,SAAS,CAAC,OAAO,CAAC,QAAQ,GAAG,GAAG,CAAC;oBAAE,SAAS;gBAChD,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACvB,CAAC;iBAAM,IAAI,CAAC,CAAC,MAAM,EAAE,IAAI,YAAY,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAChD,IAAI,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC;oBAAE,SAAS;gBAC1C,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACrB,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,YAAY,CAAC,IAAY;IAChC,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACvC,OAAO,yFAAyF,CAAC,IAAI,CAAC,KAAK,CAAC;WACvG,CAAC,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC;WACvB,CAAC,sBAAsB,CAAC,IAAI,CAAC,KAAK,CAAC;WACnC,CAAC,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC;WAC3B,CAAC,eAAe,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AACpC,CAAC;AAED,SAAS,aAAa,CAAC,KAA4B,EAAE,IAAY;IAC/D,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,GAAG,CAAC,CAAC,CAAC;IACnC,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,IAAI,GAAG,CAAC,CAAC,CAAC;IAC5C,OAAO,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1C,CAAC"}

package/dist/detectors/unused-deps.d.ts

@@ -0,0 +1,8 @@
+import type { ImportRecord } from '../graph/import-graph.js';
+import type { Finding } from '../types.js';
+export interface UnusedDepsDetectorInput {
+    workspaceRoot: string;
+    imports: ReadonlyArray<ImportRecord>;
+}
+export declare function detectUnusedDeps(input: UnusedDepsDetectorInput): Finding[];
+//# sourceMappingURL=unused-deps.d.ts.map

package/dist/detectors/unused-deps.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"unused-deps.d.ts","sourceRoot":"","sources":["../../src/detectors/unused-deps.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAI3C,MAAM,WAAW,uBAAuB;IACtC,aAAa,EAAE,MAAM,CAAC;IACtB,OAAO,EAAE,aAAa,CAAC,YAAY,CAAC,CAAC;CACtC;AAID,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,uBAAuB,GAAG,OAAO,EAAE,CAqD1E"}

package/dist/detectors/unused-deps.js

@@ -0,0 +1,115 @@
+import * as path from 'node:path';
+import { existsSync, readFileSync } from 'node:fs';
+import { stableHash } from '../utils/hash.js';
+import { escapeForRegex } from '../utils/regex.js';
+// dependencies + peerDependencies declared but never imported. LOW.
+// Skips devDeps, workspace:* entries, known runtime loaders (tsx, …).
+export function detectUnusedDeps(input) {
+    const pkgPath = path.join(input.workspaceRoot, 'package.json');
+    if (!existsSync(pkgPath))
+        return [];
+    let raw;
+    try {
+        raw = readFileSync(pkgPath, 'utf-8');
+    }
+    catch {
+        return [];
+    }
+    let pkg;
+    try {
+        pkg = JSON.parse(raw);
+    }
+    catch {
+        return [];
+    }
+    const declared = new Set();
+    for (const k of Object.keys(pkg.dependencies ?? {}))
+        declared.add(k);
+    for (const k of Object.keys(pkg.peerDependencies ?? {}))
+        declared.add(k);
+    const used = new Set();
+    for (const imp of input.imports) {
+        if (imp.target)
+            continue; // resolved to a workspace path → not an npm dep
+        const pkgName = parsePackageName(imp.specifier);
+        if (pkgName)
+            used.add(pkgName);
+    }
+    const out = [];
+    for (const dep of declared) {
+        if (used.has(dep))
+            continue;
+        if (RUNTIME_LOADERS.has(dep))
+            continue;
+        if ((pkg.dependencies?.[dep] ?? '').startsWith('workspace:'))
+            continue;
+        const line = findLineInJson(raw, dep);
+        out.push({
+            detectorId: 'unused-deps',
+            severity: 'low',
+            confidence: 0.85,
+            layer: 1,
+            title: `Unused dependency: \`${dep}\` in package.json`,
+            description: `\`${dep}\` is declared in \`dependencies\` (or \`peerDependencies\`) but never imported across the workspace. Unused deps inflate the lockfile + the install footprint and complicate audits.`,
+            evidence: [
+                {
+                    file: 'package.json',
+                    range: { startLine: line, endLine: line },
+                    snippet: snippetAround(raw, line),
+                },
+            ],
+            suggestion: `If genuinely unused, run \`npm uninstall ${dep}\` (or your package manager's equivalent). If the dep is loaded by name at runtime (plugin/CLI/loader pattern), add it to the runtime-loader allow-list.`,
+            fingerprint: `unused-deps:${stableHash(dep)}`,
+        });
+    }
+    return out;
+}
+const RUNTIME_LOADERS = new Set([
+    'tsx',
+    'ts-node',
+    'tsconfig-paths',
+    '@swc/register',
+    '@swc-node/register',
+    'esbuild-register',
+    'jiti',
+    'dotenv-cli',
+    'concurrently',
+    'rimraf',
+    'cross-env',
+]);
+function parsePackageName(specifier) {
+    if (!specifier || specifier.startsWith('.') || specifier.startsWith('/'))
+        return null;
+    if (specifier.startsWith('node:'))
+        return null;
+    // node builtins without prefix:
+    if (BUILTINS.has(specifier.split('/')[0]))
+        return null;
+    if (specifier.startsWith('@')) {
+        const parts = specifier.split('/');
+        if (parts.length < 2)
+            return null;
+        return `${parts[0]}/${parts[1]}`;
+    }
+    return specifier.split('/')[0];
+}
+const BUILTINS = new Set([
+    'fs', 'path', 'os', 'http', 'https', 'crypto', 'util', 'events', 'stream', 'buffer',
+    'child_process', 'url', 'querystring', 'zlib', 'tty', 'net', 'tls', 'dns', 'cluster',
+    'worker_threads', 'perf_hooks', 'assert', 'process', 'readline', 'string_decoder',
+    'vm', 'v8', 'inspector', 'async_hooks', 'timers', 'dgram',
+]);
+function findLineInJson(raw, key) {
+    const re = new RegExp(`"${escapeForRegex(key)}"\\s*:`);
+    const m = re.exec(raw);
+    if (!m)
+        return 1;
+    return raw.slice(0, m.index).split('\n').length;
+}
+function snippetAround(raw, line) {
+    const lines = raw.split('\n');
+    const from = Math.max(0, line - 1);
+    const to = Math.min(lines.length, line + 1);
+    return lines.slice(from, to).join('\n');
+}
+//# sourceMappingURL=unused-deps.js.map

package/dist/detectors/unused-deps.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"unused-deps.js","sourceRoot":"","sources":["../../src/detectors/unused-deps.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAGnD,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAOnD,oEAAoE;AACpE,sEAAsE;AACtE,MAAM,UAAU,gBAAgB,CAAC,KAA8B;IAC7D,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,aAAa,EAAE,cAAc,CAAC,CAAC;IAC/D,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,EAAE,CAAC;IACpC,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IACvC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,IAAI,GAAgB,CAAC;IACrB,IAAI,CAAC;QACH,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAgB,CAAC;IACvC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC;IACnC,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,IAAI,EAAE,CAAC;QAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IACrE,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,gBAAgB,IAAI,EAAE,CAAC;QAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IAEzE,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,KAAK,MAAM,GAAG,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;QAChC,IAAI,GAAG,CAAC,MAAM;YAAE,SAAS,CAAC,gDAAgD;QAC1E,MAAM,OAAO,GAAG,gBAAgB,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAChD,IAAI,OAAO;YAAE,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACjC,CAAC;IAED,MAAM,GAAG,GAAc,EAAE,CAAC;IAC1B,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;QAC3B,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,SAAS;QAC5B,IAAI,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,SAAS;QACvC,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,UAAU,CAAC,YAAY,CAAC;YAAE,SAAS;QACvE,MAAM,IAAI,GAAG,cAAc,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QACtC,GAAG,CAAC,IAAI,CAAC;YACP,UAAU,EAAE,aAAa;YACzB,QAAQ,EAAE,KAAK;YACf,UAAU,EAAE,IAAI;YAChB,KAAK,EAAE,CAAC;YACR,KAAK,EAAE,wBAAwB,GAAG,oBAAoB;YACtD,WAAW,EACT,KAAK,GAAG,uLAAuL;YACjM,QAAQ,EAAE;gBACR;oBACE,IAAI,EAAE,cAAc;oBACpB,KAAK,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE;oBACzC,OAAO,EAAE,aAAa,CAAC,GAAG,EAAE,IAAI,CAAC;iBAClC;aACF;YACD,UAAU,EACR,4CAA4C,GAAG,0JAA0J;YAC3M,WAAW,EAAE,eAAe,UAAU,CAAC,GAAG,CAAC,EAAE;SAC9C,CAAC,CAAC;IACL,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAOD,MAAM,eAAe,GAAG,IAAI,GAAG,CAAS;IACtC,KAAK;IACL,SAAS;IACT,gBAAgB;IAChB,eAAe;IACf,oBAAoB;IACpB,kBAAkB;IAClB,MAAM;IACN,YAAY;IACZ,cAAc;IACd,QAAQ;IACR,WAAW;CACZ,CAAC,CAAC;AAEH,SAAS,gBAAgB,CAAC,SAAiB;IACzC,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACtF,IAAI,SAAS,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAC/C,gCAAgC;IAChC,IAAI,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC;QAAE,OAAO,IAAI,CAAC;IACxD,IAAI,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAC9B,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACnC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QAClC,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;IACnC,CAAC;IACD,OAAO,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC;AAClC,CAAC;AAED,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAS;IAC/B,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ;IACnF,eAAe,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS;IACpF,gBAAgB,EAAE,YAAY,EAAE,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE,gBAAgB;IACjF,IAAI,EAAE,IAAI,EAAE,WAAW,EAAE,aAAa,EAAE,QAAQ,EAAE,OAAO;CAC1D,CAAC,CAAC;AAEH,SAAS,cAAc,CAAC,GAAW,EAAE,GAAW;IAC9C,MAAM,EAAE,GAAG,IAAI,MAAM,CAAC,IAAI,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACvD,MAAM,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACvB,IAAI,CAAC,CAAC;QAAE,OAAO,CAAC,CAAC;IACjB,OAAO,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;AAClD,CAAC;AAGD,SAAS,aAAa,CAAC,GAAW,EAAE,IAAY;IAC9C,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC9B,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,GAAG,CAAC,CAAC,CAAC;IACnC,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,IAAI,GAAG,CAAC,CAAC,CAAC;IAC5C,OAAO,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1C,CAAC"}

package/dist/extraction/api-race-confirmer.d.ts

@@ -0,0 +1,31 @@
+import { z } from 'zod';
+import { LlmClient } from '../adapters/llm.js';
+declare const VerdictSchema: z.ZodObject<{
+    race: z.ZodBoolean;
+    confidence: z.ZodNumber;
+    reason: z.ZodString;
+}, z.core.$strip>;
+export type ApiRaceVerdict = z.infer<typeof VerdictSchema>;
+export interface ApiRaceCheckInput {
+    method: string;
+    pathPattern: string;
+    /** Comma-separated client identifiers detected on the cluster. */
+    clients: string;
+    /** Up to 8 call sites with their enclosing function source slice. */
+    sites: ReadonlyArray<{
+        file: string;
+        line: number;
+        enclosingName?: string;
+        enclosingSource: string;
+    }>;
+}
+export declare class ApiRaceConfirmer {
+    private llm;
+    private cache;
+    constructor(llm?: LlmClient);
+    confirm(input: ApiRaceCheckInput): Promise<ApiRaceVerdict | null>;
+    private callOnce;
+    private callChunked;
+}
+export {};
+//# sourceMappingURL=api-race-confirmer.d.ts.map

package/dist/extraction/api-race-confirmer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-race-confirmer.d.ts","sourceRoot":"","sources":["../../src/extraction/api-race-confirmer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,SAAS,EAA0B,MAAM,oBAAoB,CAAC;AAYvE,QAAA,MAAM,aAAa;;;;iBAIjB,CAAC;AAEH,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,aAAa,CAAC,CAAC;AAE3D,MAAM,WAAW,iBAAiB;IAChC,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,kEAAkE;IAClE,OAAO,EAAE,MAAM,CAAC;IAChB,qEAAqE;IACrE,KAAK,EAAE,aAAa,CAAC;QACnB,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;QACb,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,eAAe,EAAE,MAAM,CAAC;KACzB,CAAC,CAAC;CACJ;AAgDD,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,GAAG,CAAY;IACvB,OAAO,CAAC,KAAK,CAAqC;gBAEtC,GAAG,CAAC,EAAE,SAAS;IAIrB,OAAO,CAAC,KAAK,EAAE,iBAAiB,GAAG,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC;YAoBzD,QAAQ;YAwBR,WAAW;CAa1B"}

package/dist/extraction/api-race-confirmer.js

@@ -0,0 +1,110 @@
+import { z } from 'zod';
+import { createDefaultLlmClient } from '../adapters/llm.js';
+import { parseLlmJsonResponse } from '../utils/llm-json.js';
+import { logger } from '../utils/logger.js';
+import { prepareSites, estimatePromptChars, splitIntoChunks, aggregateChunkVerdicts, PROMPT_BUDGET_CHARS, } from './prompt-chunking.js';
+const VerdictSchema = z.object({
+    race: z.boolean(),
+    confidence: z.number().min(0).max(1),
+    reason: z.string(),
+});
+const PROMPT = `You are reviewing a static-analysis finding about a mutating HTTP call (PUT / PATCH / POST / DELETE) issued by multiple TypeScript functions from different files against the same URL pattern. Decide: is this a REAL cross-flow race (two independent flows can fire the write concurrently and the second overwrites the first) or SAFE (one of the callers is a test, all callers share a retry helper, the body is idempotent, or the writes use If-Match / ETag optimistic locking)?
+
+Output ONE compact JSON object and STOP:
+{"race": boolean, "confidence": <0..1>, "reason": "<max 22 words>"}
+
+Decision rules (apply IN ORDER — first match wins):
+
+1. **Test-only counterpart** — STRICT trigger: one caller's FILE PATH literally contains \`__tests__/\`, \`tests/\`, \`.test.ts\`, or \`.spec.ts\`, OR the function name begins with \`test_\` / \`it_\` / \`describe_\`. Mere fixture-style file names like \`case_*\` / \`*_a.ts\` / \`*_b.ts\` are NOT test markers. Suffixes like \`_web\` / \`_worker\` / \`_api\` / \`_cron\` are NOT test markers. → safe, confidence ≥ 0.85.
+
+2. **Idempotent body** — every caller sends a CONSTANT or static value in the request body (\`{ status: 'active' }\`, \`{ enabled: true }\`, \`new Date()\`, \`{}\`). The value must NOT depend on a function parameter that callers fill in differently. → safe, confidence ≥ 0.85.
+
+3. **Optimistic locking** — every caller sets an \`If-Match\` / \`If-Unmodified-Since\` / \`X-Resource-Version\` header (literal token \`If-Match\` or \`etag\` visible in the snippets of EVERY caller). → safe, confidence ≥ 0.8.
+
+4. **Retry / single-flight wrapper** — STRICT trigger: one of the snippets contains a literal retry-helper definition (function whose name contains \`retry\`, \`backoff\`, \`withRetries\`, \`singleFlight\`) AND the other caller IMPORTS or CALLS that helper around the HTTP write. A mere caller name like \`*WithRetries\` is not enough on its own — the snippets must show the helper. → safe, confidence ≥ 0.75.
+
+5. **Variable host (opaque upstream)** — the cluster path begins with \`/:param/\` (because the host portion of every URL in the snippets is itself a template variable, not a literal). In the snippets, EVERY URL is built by concatenating a host variable (commonly named \`baseUrl\`, \`this.baseUrl\`, \`apiUrl\`, \`endpoint\`, \`host\`, \`server\`) with the path. The actual upstream service is opaque to static analysis — two snippets may point at the SAME service (race) or at DIFFERENT services at runtime (safe). Common real-world case: two modules implementing OpenAI-compatible / vLLM clients against \`/chat/completions\` or \`/v1/embed\`, each parameterising the host via env-var / constructor. Without proof of host equality, treat as low-confidence race. → race: true, confidence 0.55. THIS RULE TAKES PRIORITY OVER RULE 6.
+
+6. **Independent flows** — caller names or file basenames mention two unrelated owners. Common signal tokens: \`webhook\`, \`worker\`, \`cron\`, \`bot\`, \`consumer\`, \`browser\`, \`web\`, \`mobile\`, \`service\`, \`api\`, \`handler\`, \`scheduler\`, \`background\`. Body uses request-specific data that differs between flows, AND the path host is NOT a template variable. → race, confidence ≥ 0.85.
+
+7. **Default** — mutating HTTP call from two distinct files, no idempotent body, no etag header in the snippets, no explicit test path, no variable host. → race, confidence ≥ 0.8.
+
+8. Unclear → \`race: true, confidence: 0.6\`.
+
+Strictness notes:
+- Rule 1 ONLY fires when the file PATH contains a literal test marker (\`__tests__\`, \`tests/\`, \`.test.ts\`, \`.spec.ts\`). Fixture-style identifiers (\`case_01_*\`, \`_a.ts\`, \`_b.ts\`) and owner-style suffixes (\`_web\`, \`_worker\`, \`_api\`, \`_cron\`, \`_service\`) are NOT test markers — they ARE the independent-flow signal of rule 6.
+- Rule 4 ONLY fires when a retry helper definition is actually visible in the supplied snippets. Do NOT assume a retry helper exists.
+- For rule 2: the value is idempotent only if it is a constant or monotonic. Parameters passed into the caller (\`body\`, \`payload\`) make it NOT idempotent.
+- Rule 5 catches a real-world FP class: two modules implementing OpenAI-compatible / vLLM-compatible / generic-HTTP API clients against \`/chat/completions\`, \`/v1/embed\`, etc., each parameterising the host via env-var or constructor. The path looks racy but the upstream service is opaque.
+
+Cluster: \`{{METHOD}} {{PATH}}\` (clients: {{CLIENTS}})
+
+Call sites:
+\`\`\`
+{{SITES}}
+\`\`\`
+`;
+function renderSites(sites) {
+    return sites
+        .map((s, i) => {
+        const header = `[${i + 1}] ${s.file}:${s.line}${s.enclosingName ? ` — ${s.enclosingName}` : ''}`;
+        return `${header}\n${s.enclosingSource}`;
+    })
+        .join('\n---\n');
+}
+export class ApiRaceConfirmer {
+    llm;
+    cache = new Map();
+    constructor(llm) {
+        this.llm = llm ?? createDefaultLlmClient();
+    }
+    async confirm(input) {
+        const cacheKey = `${input.method} ${input.pathPattern}::${input.clients}::${input.sites
+            .map((s) => `${s.file}:${s.line}`)
+            .sort()
+            .join(',')}`;
+        const cached = this.cache.get(cacheKey);
+        if (cached)
+            return cached;
+        const sites = prepareSites(input.sites);
+        const singleCallChars = estimatePromptChars(PROMPT, sites);
+        let verdict;
+        if (singleCallChars <= PROMPT_BUDGET_CHARS) {
+            verdict = await this.callOnce(input, sites);
+        }
+        else {
+            verdict = await this.callChunked(input, sites);
+        }
+        if (verdict)
+            this.cache.set(cacheKey, verdict);
+        return verdict;
+    }
+    async callOnce(input, sites) {
+        const prompt = PROMPT.replace('{{METHOD}}', input.method)
+            .replace('{{PATH}}', input.pathPattern)
+            .replace('{{CLIENTS}}', input.clients)
+            .replace('{{SITES}}', renderSites(sites));
+        try {
+            const raw = await this.llm.chat([{ role: 'user', content: prompt }], { temperature: 0, maxTokens: 128 });
+            const parsed = parseLlmJsonResponse(raw);
+            return VerdictSchema.parse(parsed);
+        }
+        catch (err) {
+            logger.warn({ err: err.message, method: input.method, path: input.pathPattern }, 'ApiRaceConfirmer failed; returning null');
+            return null;
+        }
+    }
+    async callChunked(input, sites) {
+        const chunks = splitIntoChunks(sites);
+        const chunkVerdicts = [];
+        for (const chunk of chunks) {
+            const v = await this.callOnce(input, chunk);
+            if (v)
+                chunkVerdicts.push(v);
+        }
+        if (chunkVerdicts.length === 0)
+            return null;
+        return aggregateChunkVerdicts(chunkVerdicts);
+    }
+}
+//# sourceMappingURL=api-race-confirmer.js.map

package/dist/extraction/api-race-confirmer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-race-confirmer.js","sourceRoot":"","sources":["../../src/extraction/api-race-confirmer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAa,sBAAsB,EAAE,MAAM,oBAAoB,CAAC;AACvE,OAAO,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAC5D,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAC5C,OAAO,EACL,YAAY,EACZ,mBAAmB,EACnB,eAAe,EACf,sBAAsB,EACtB,mBAAmB,GAEpB,MAAM,sBAAsB,CAAC;AAE9B,MAAM,aAAa,GAAG,CAAC,CAAC,MAAM,CAAC;IAC7B,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;IACjB,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IACpC,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;CACnB,CAAC,CAAC;AAkBH,MAAM,MAAM,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAmCd,CAAC;AAEF,SAAS,WAAW,CAAC,KAAiC;IACpD,OAAO,KAAK;SACT,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACZ,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;QACjG,OAAO,GAAG,MAAM,KAAK,CAAC,CAAC,eAAe,EAAE,CAAC;IAC3C,CAAC,CAAC;SACD,IAAI,CAAC,SAAS,CAAC,CAAC;AACrB,CAAC;AAED,MAAM,OAAO,gBAAgB;IACnB,GAAG,CAAY;IACf,KAAK,GAAG,IAAI,GAAG,EAA0B,CAAC;IAElD,YAAY,GAAe;QACzB,IAAI,CAAC,GAAG,GAAG,GAAG,IAAI,sBAAsB,EAAE,CAAC;IAC7C,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,KAAwB;QACpC,MAAM,QAAQ,GAAG,GAAG,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,WAAW,KAAK,KAAK,CAAC,OAAO,KAAK,KAAK,CAAC,KAAK;aACpF,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;aACjC,IAAI,EAAE;aACN,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACf,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACxC,IAAI,MAAM;YAAE,OAAO,MAAM,CAAC;QAE1B,MAAM,KAAK,GAAG,YAAY,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QACxC,MAAM,eAAe,GAAG,mBAAmB,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;QAC3D,IAAI,OAA8B,CAAC;QACnC,IAAI,eAAe,IAAI,mBAAmB,EAAE,CAAC;YAC3C,OAAO,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;QAC9C,CAAC;aAAM,CAAC;YACN,OAAO,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;QACjD,CAAC;QACD,IAAI,OAAO;YAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC/C,OAAO,OAAO,CAAC;IACjB,CAAC;IAEO,KAAK,CAAC,QAAQ,CACpB,KAAwB,EACxB,KAAoB;QAEpB,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,YAAY,EAAE,KAAK,CAAC,MAAM,CAAC;aACtD,OAAO,CAAC,UAAU,EAAE,KAAK,CAAC,WAAW,CAAC;aACtC,OAAO,CAAC,aAAa,EAAE,KAAK,CAAC,OAAO,CAAC;aACrC,OAAO,CAAC,WAAW,EAAE,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC;QAC5C,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,IAAI,CAC7B,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,EACnC,EAAE,WAAW,EAAE,CAAC,EAAE,SAAS,EAAE,GAAG,EAAE,CACnC,CAAC;YACF,MAAM,MAAM,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAC;YACzC,OAAO,aAAa,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACrC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,CAAC,IAAI,CACT,EAAE,GAAG,EAAG,GAAa,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE,IAAI,EAAE,KAAK,CAAC,WAAW,EAAE,EAC9E,yCAAyC,CAC1C,CAAC;YACF,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,WAAW,CACvB,KAAwB,EACxB,KAAoB;QAEpB,MAAM,MAAM,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;QACtC,MAAM,aAAa,GAAqB,EAAE,CAAC;QAC3C,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,MAAM,CAAC,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;YAC5C,IAAI,CAAC;gBAAE,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC/B,CAAC;QACD,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAC5C,OAAO,sBAAsB,CAAC,aAAa,CAAC,CAAC;IAC/C,CAAC;CACF"}

package/dist/extraction/llm-confirmer.d.ts

@@ -0,0 +1,25 @@
+import { z } from 'zod';
+import { LlmClient } from '../adapters/llm.js';
+import type { SymbolRecord } from '../types.js';
+declare const ConfirmationSchema: z.ZodObject<{
+    same_concept: z.ZodBoolean;
+    confidence: z.ZodNumber;
+    reason: z.ZodString;
+}, z.core.$strip>;
+export type ConfirmationResult = z.infer<typeof ConfirmationSchema>;
+export declare class LlmConfirmer {
+    private llm;
+    private cache;
+    constructor(llm?: LlmClient);
+    confirmSameConcept(a: SymbolRecord, b: SymbolRecord, 
+    /**
+     * Project conventions text (CLAUDE.md / AGENTS.md / etc., already
+     * concatenated and truncated). When present, the verdict weighs
+     * project-stated rules — e.g. "three similar lines is better than
+     * premature abstraction" turns this into `same_concept: false` even
+     * on a tight skeleton match.
+     */
+    projectConventions?: string): Promise<ConfirmationResult | null>;
+}
+export {};
+//# sourceMappingURL=llm-confirmer.d.ts.map

package/dist/extraction/llm-confirmer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"llm-confirmer.d.ts","sourceRoot":"","sources":["../../src/extraction/llm-confirmer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,SAAS,EAA0B,MAAM,oBAAoB,CAAC;AAGvE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAEhD,QAAA,MAAM,kBAAkB;;;;iBAItB,CAAC;AAEH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAwDpE,qBAAa,YAAY;IACvB,OAAO,CAAC,GAAG,CAAY;IACvB,OAAO,CAAC,KAAK,CAAyC;gBAE1C,GAAG,CAAC,EAAE,SAAS;IAIrB,kBAAkB,CACtB,CAAC,EAAE,YAAY,EACf,CAAC,EAAE,YAAY;IACf;;;;;;OAMG;IACH,kBAAkB,CAAC,EAAE,MAAM,GAC1B,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC;CA+CtC"}